Defence in depth is one of many marketing terms that circulate in the cyber security space. It’s a simple enough phrase whose meaning appears straightforward, but what does it really mean in a cyber context and how can it help to protect our systems from attack?
The bottom line is there are no silver bullets when it comes to cyber security. There is no such thing as a ‘one size fits all’ solution and no single method for successfully protecting a computer network against either insider or outsider threats. The reality is, anyone who tries to tell you differently is also trying to sell you something.
Any security professional worth their salt will tell you categorically there is no way to 100% secure your IT network against all possible threats. All anyone can really do is work out what level of risk you are willing to live with and take steps to counter the rest.
So, why is defence in depth widely considered to be the way to go? Simply, it calls for security to be applied in multiple layers and works on the principle that each layer provides a different type of protection, giving us the best chance of stopping an attack from getting through. While individually these layers will offer some protection in themselves, by using several there is better all-round coverage against multiple threats and no single point of failure.
What price security?
The drawback to this approach is having multiple layers of security means everything becomes more complicated to manage. Rather like having multiple passwords to access different accounts, this can lead to impatience, shortcuts and things being forgotten. Security is a balancing act and getting the mix of security and usability right is a difficult task.
Single vs multiple vendors
Some of this complexity can be managed by using a suite of products from a single vendor, but this comes with downsides. The advantage is that all the products can be managed and reported on from a single central console; the downside is that relying on a single vendor risks restricting your defences. Although different vendors will likely be able to identify most of the same viruses, there will always be a level of variation. Having two types of anti-virus minimises the chance of something slipping through the net, but it means there are two products to keep up to date and sometimes different products don’t work that well together.
And depending on the size of your organisation, budget, nature of the data you’re trying to protect, the type of attacks you’re likely to be targeted by and what degree of risk you’re happy to take, there really isn’t a single list of measures you should or shouldn’t apply to protect an IT network.
Who are we trying to keep out?
Deciding what security measures are right for an IT system will depend on an understanding of who or what you are up against. The threat should, at least in part, influence what sort of digital security measures are best for a particular system and they can be tailored towards the specific abilities, capabilities and goals of the attacker.
The types of adversary an organisation is likely to encounter each have their own distinct motivations and capabilities and can be broadly categorised as the following:
Understanding where the threat is coming from can help organisations to direct their resources and plan their security more effectively and this also helps show that ‘one size fits all’ is not a sensible approach.
Components for a defence in depth security solution
The first layer is a firewall, which acts as a perimeter fence and makes sure only the right information can enter and leave a network. Although it won’t stop every attacker, a well configured firewall should be enough to keep the more opportunistic ones out. Yet setting up a firewall so that it allows employees to do their jobs without letting the bad guys in can be tricky.
Another common solution used as a perimeter fence is an Intrusion Detection System or IDS. Rather than blocking attacks, it watches an IT system and identifies anything that doesn’t look right. Essentially it acts as an early warning system, allowing you to take action as soon as something suspicious is detected and hopefully before any damage is done.
Although at a glance, using either or both of the above may seem like the only solutions you need to keep your network secure, this just isn’t the case; the number of ways to set up a firewall incorrectly, creating a false sense of security, is almost infinite.
Keeping logs is another form of defence layer. They can be generated for just about any and every action which occurs within a network and can generate a large amount of data that needs to be stored somewhere and may be intimidating for anyone wanting to look through it to find something specific. However, it is worth the effort as it can help identify incidents and aid a response. If monitored properly, logs can tell you a lot about suspicious behaviour, if something isn’t working properly or if parts of the network need tighter security controls. Logs can also help work out how someone has been able to attack successfully and how this can be prevented from happening again.
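As an added illustration of the kind of review the paragraph describes (example code, not part of the original article): a small Python routine that reads constructed, syslog-style login lines and flags a burst of failed logins from one address, then a success from that same address straight afterwards. The log format, host names and addresses are all invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data), loosely modelled on sshd messages:
# five quick failures from one address, then a success from the same address.
SAMPLE_LOG = """\
2024-03-01T09:00:01 srv1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03 srv1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:04 srv1 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08 srv1 sshd: Failed password for bob from 203.0.113.7
2024-03-01T09:00:09 srv1 sshd: Accepted password for bob from 203.0.113.7
2024-03-01T09:15:00 srv1 sshd: Failed password for carol from 198.51.100.2
2024-03-01T09:20:00 srv1 sshd: Accepted password for carol from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def review_auth_log(text, threshold=5, window_seconds=60):
    """Return findings as (kind, source, user) tuples.

    'brute_force'           : at least `threshold` failures from one source
                              inside a sliding window of `window_seconds`
    'success_after_failures': an accepted login from a source already flagged,
                              which is what a successful guess looks like
    """
    failures = defaultdict(list)  # source -> timestamps of recent failures
    flagged = set()               # sources already reported as brute force
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real reviewer would count unparseable lines too
        ts, src, user = datetime.fromisoformat(m["ts"]), m["src"], m["user"]
        if m["result"] == "Failed":
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("brute_force", src, user))
        elif src in flagged:
            findings.append(("success_after_failures", src, user))
    return findings
```

The single failure from 198.51.100.2 never crosses the threshold, so carol's later login is not reported; only the address that crossed it and then succeeded is.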
System hardening is the process of making sure there is as little opportunity as possible for attackers to find an opening. In terms of securing a network, this means going through and making sure unnecessary programmes are not running, making sure all the latest security updates are installed and that system access is locked down to only those who need it, among other steps. It is a good option to take to reduce any residual risk once other layers have been applied.
Penetration testing can also form part of this layered approach and is highly effective at identifying what gaps may be present, so they can be acted upon and fixed before the ‘bad guys’ exploit them.
People power
The line between cyber and physical security policies for employees is blurred as they are both intended to govern actions, behaviour and responses. With cyber security policies, the goal is to ensure everyone knows what to do in the event of a suspected compromise, limit the opportunities for malicious or accidental disruption and to maximise the chance of quickly identifying any security breach.
Employee screening should provide a reasonable level of confidence that staff can be trusted, while a ‘Least Privilege’ approach only allows the minimal level of access to systems and assets needed for someone to do their role. Separation of duties makes sure that sensitive processes or privileges are not assigned to a single person, and implementing an exit policy, such as revoking any IT or physical access an employee had, minimises the opportunity for harmful reactions.
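To show how the three controls in this paragraph fit together in code, here is an added example (not from the original article) of a minimal access model: least privilege is a user's permissions being exactly those of the roles assigned, separation of duties is a payment needing a different person to approve it than the one who raised it, and the exit policy revokes everything in one step. Role names, permissions and user names are invented.

```python
# Added example (not from the original article): a minimal access model for
# the three controls in the text. Role names, permissions and users are invented.
ROLE_PERMISSIONS = {
    "clerk": {"payment:request"},
    "approver": {"payment:approve"},
    "sysadmin": {"server:login", "server:patch"},
}


class AccessPolicy:
    def __init__(self):
        self._roles = {}    # user -> set of assigned roles
        self._pending = {}  # payment id -> user who raised it

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        # Least privilege: exactly the union of the assigned roles, nothing implicit,
        # and an unknown or offboarded user has no permissions at all.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self._roles.get(user, ())))

    def is_allowed(self, user, permission):
        return permission in self.permissions(user)

    def request_payment(self, user, payment_id):
        if not self.is_allowed(user, "payment:request"):
            return False
        self._pending[payment_id] = user
        return True

    def approve_payment(self, user, payment_id):
        # Separation of duties: the approver needs the approve permission and
        # must be a different person from the one who raised the request,
        # even if they happen to hold both roles.
        requester = self._pending.get(payment_id)
        if requester is None or requester == user:
            return False
        if not self.is_allowed(user, "payment:approve"):
            return False
        del self._pending[payment_id]
        return True

    def offboard(self, user):
        # Exit policy: revoke every role in one step, and drop any half-finished
        # process the leaver started so nobody can complete it on their behalf.
        self._roles.pop(user, None)
        self._pending = {p: u for p, u in self._pending.items() if u != user}
```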
Staff training and awareness seems obvious but cannot be underestimated in its importance. This means simple things such as making users change their passwords every few weeks, use a different password for each system and not click on suspicious links or attachments – and letting them know the serious reasons why and the consequences. Awareness of the threats an organisation faces can promote buy-in from employees to report security incidents so they can be responded to swiftly.
In the event of disaster
If the worst happens, being prepared in IT terms means making sure there is a backup, ideally off-site, and that it is maintained on an appropriate timescale. Disaster recovery testing should be carried out periodically to ensure it works properly. Nobody wants the worst case scenario to become a reality, but being prepared to deal with it if it happens can make the difference between survival and going under.
Although there are a multitude of ways to protect a computer network and each has its merits, any single solution will leave gaps which will open you up to attack. Also, every IT system is different, so the ways in which you protect yours will be different to somebody else’s. Using guidance provided by organisations such as the NCSC (National Cyber Security Centre) or CIS (Centre for Internet Security), or engaging an outside organisation that provides security services to help review your systems, is another way to be confident that the steps you have taken are the right ones.
Security may not be a department which generates revenue, nor is it a ‘fire and forget’ exercise. It should be a topic of constant focus, always evolving as a network and organisation evolves. Overall, defence in depth is rather like an insurance policy – the value is hard to determine until your house burns down.
To learn more about cyber security and how your business can stay protected from threats, visit the Cyber Essentials Online website.
By Katherine Abercrombie, Context Information Security.